France’s highest administrative court, the Council of State, considered on Thursday an application for interim measures filed by Google after the US digital giant was fined €100 million last December over its online cookie collection policy. EURACTIV France was at the hearing.
In its deliberation of 7 December 2020, the French data protection authority (CNIL) accused the US giant, whose European headquarters are based in Dublin, of contravening the law on information technology, files, and freedoms.
Article 82 provides that “all subscribers or users of an electronic communications service must be informed clearly and fully” unless they have been informed by the controller or his representative beforehand “of the purpose of any action tending to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment” as well as “of the means at its disposal to oppose it”.
However, the investigation conducted by the CNIL indicates “that when they arrived on the google.fr website, seven cookies were placed on their terminal equipment, before any action on their part”.
France’s data protection authority then concluded that the companies in question “did not meet the requirement of prior, clear and complete information for users, nor the requirement to obtain their consent and that the mechanism for opposing these cookies was partially defective”.
#Sanction 🔴ℹ La CNIL sanctionne Google à hauteur de 100 millions d’euros (👉https://t.co/7MQU3iYE5G) et Amazon (👉https://t.co/CL94rrvuhG) à hauteur de 35 millions d’euros pour avoir enfreint la législation française sur les cookies. pic.twitter.com/2QeTMZ6XAr
— CNIL (@CNIL) December 10, 2020
Disagreement on substance and form
Google, defended by lawyer Patrick Spinosi, showed its deep disagreement with CNIL’s “exceptional” daily penalty of €100,000 imposed for the period during which the US giant would make the necessary changes. The judge even appeared to agree with this assessment, saying that “€100,000 is still €100,000!”.
Both parties seem to agree that these changes after the US giant had already made some adjustments to its interface have now become a matter of wording and legibility for the user.
While Google considers the deadline – set for 4 April – to be far too short, the CNIL representative at the hearing considered it “largely sufficient”, noting that “there’s still a month and a half.”
“If we change the word ‘good day’ with ‘hello’, it would take us three months,” argued one of the company’s representatives.
“As soon as Google changes its banner, it must do it in all other countries,” was one of the internet giant’s arguments, which, according to the CNIL, should not even be raised since “it is not part of the injunction that was made”.
Moreover, Google also contested the CNIL’s jurisdiction. On several occasions, it expressed concern regarding the legality of this injunction, saying it was “not sufficiently clear”.
For its part, Google has appealed to the one-stop-shop mechanism provided for in the General Data Protection Regulation (GDPR) which, in its view, requires it to report on data protection matters only to the corresponding authority in the country in which it is based, namely Ireland.
The investigation has been postponed until 24 February so that the CNIL can formally respond to Google’s letter of December, which has since remained unanswered. The letter lists Google’s proposals to be implemented so as to meet the regulator’s expectations.
Without this new exchange between the two interested parties, the judge ruled that he could not yet assess the request’s level of urgency.
Google had already made the move in 2020 after the Council of State confirmed an initial €50 million fine, also imposed by the CNIL, for lack of information on the use of personal data collected by the company via its Android system.
— CNIL (@CNIL) June 19, 2020
[Edited by Frédéric Simon]